How SSH keys grant access
SSH keys are cryptographic key pairs used instead of passwords for logging into Linux and Unix systems, network devices and code repositories. The private key stays with the user or application; the public key is placed in an authorized_keys file on every server that should accept it. Whoever holds the private key gets in — no password prompt, and in most default setups, no expiry date.
That convenience is exactly the management problem. Any user can mint new key pairs and distribute public keys without involving IT, so over years an environment accumulates thousands of keys: keys of departed employees, keys shared between teams, keys copied into automation scripts, and keys granting root that nobody remembers creating.
Why unmanaged keys are dangerous
Unlike passwords, SSH keys are rarely covered by expiry policies, MFA or offboarding checklists. A private key copied to a laptop before an employee left still opens production servers years later. Keys also chain: a compromised server may hold private keys that open further servers, letting attackers traverse an estate silently along trust relationships that no one has mapped.
Audits repeatedly find that organizations cannot answer basic questions — which keys exist, what they grant, who holds the private halves and when they were last used. Compliance frameworks that require credential lifecycle control apply to keys just as much as passwords, but keys are far easier to overlook because they live in scattered files rather than a directory.
Managing SSH keys in practice
A key management program starts with an inventory: scanning servers for authorized_keys entries and private key files, mapping which keys open which accounts, and removing orphans. Policy follows — approved key algorithms and lengths, mandatory passphrases, a ban on shared keys, and rotation schedules for the keys that remain.
The strongest pattern removes standing keys altogether: administrators authenticate to a PAM gateway with their personal identity and MFA, and the gateway holds or injects the server credential for the session. Monopam applies this model by vaulting SSH credentials and opening recorded, browser-based SSH sessions, so private keys never need to live on user laptops at all.